Abstract
Password-based authentication is one of the most commonly adopted mechanisms for online security. Choosing strong passwords is crucial for protecting one's digital identities and assets, as weak passwords can be readily guessed, resulting in a compromise such as unauthorized access. To promote the use of strong passwords on the Web, the National Institute of Standards and Technology (NIST) provides website administrators with password composition policy (PCP) guidelines. We manually inspect popular websites to check whether their password policies conform to NIST's PCP guidelines by generating passwords that meet each criterion and testing them on 100 popular websites. Our findings reveal that a considerable number of websites (on average, 53.5%) do not comply with the guidelines, which could result in password breaches.
Original language | English |
---|---|
Title of host publication | Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 12-20 |
Number of pages | 9 |
ISBN (Electronic) | 9798350312362 |
State | Published - 2023 |
Externally published | Yes |
Event | 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 - San Francisco, United States; Duration: May 22 2023 → May 25 2023 |
Publication series
Name | Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 |
---|
Conference
Conference | 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 |
---|---|
Country/Territory | United States |
City | San Francisco |
Period | 05/22/23 → 05/25/23 |
Funding
We thank the anonymous reviewers for their constructive feedback. The authors gratefully acknowledge the support of NSF (2210137). This work was supported by Science Alliance’s StART program and a gift from Google exploreCSR, and partly supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korean government (Ministry of Science and ICT) (No. 2022-0-01199; Graduate School of Convergence Security (Sungkyunkwan University)). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.